Action Summary

Management should monitor service provider performance
and potential changes in institution requirements throughout the
life of the contract. Monitoring should encompass:

Key service level agreements (SLAs) and contract
provisions;

Financial condition of the service provider;

General control environment of the service provider through the
receipt and review of audit reports and other internal control
reviews; and

Potential changes due to the external environment.

Financial institutions should have an oversight program to
ensure service providers deliver the quantity and quality of
services required by the contract. The monitoring program should
target the key aspects of the contracting relationship with
effective monitoring techniques. The program should monitor the
service provider environment including its security controls,
financial strength, and the impact of any external events. The
resources to support this program will vary depending on the
criticality and complexity of the system, process, or service being
outsourced.

To increase monitoring effectiveness, management should
periodically rank service provider relationships according to risk
to determine which service providers require closer monitoring.
Management should base the rankings on the residual risk of the
relationship, that is, the risk that remains after weighing the
quantity of risk against the controls in place to mitigate it.
Relationships with higher risk ratings should receive more frequent
and stringent monitoring, including due diligence, performance
(financial and/or operational) reviews, and independent control
validation reviews. Personnel responsible for
provider oversight should have the necessary expertise to assess
the risks and should maintain suitable documentation. Management
should use the oversight documentation when renegotiating contracts
as well as developing contingency planning requirements.

User groups are another mechanism financial institutions can use
to monitor and influence their service provider. User groups can
participate in and influence service provider testing (e.g.,
security, disaster recovery, and systems testing) as well as
promote client issues. An independent user group can monitor and
influence a service provider more effectively than any individual
client can, because collectively its members may constitute a
significant portion of the service provider's business.